strange problem with ipfw and rc.conf
fbsd_user at a1poweruser.com
Thu Jan 26 17:56:28 PST 2006
Your problem is you have rc.conf loading 2 different firewalls
at the same time:
IPFW, which is compiled into your kernel as the firewall, and
ipfilter, which you have rc.conf starting. You don't need to
compile either one of the firewalls into the kernel for it to work.
You need to read the firewall section of the handbook.
It contains a very complete usage description of the 3 firewalls
that come with FreeBSD.
I would recommend you use ipfilter as your firewall.
IPFW is for the experienced firewall user who has FW
requirements needing functions not provided by one of the
other FWs delivered with the base FreeBSD install.
And since it looks like you have 3 private circuits on your
LAN you will need NAT function and nat in ipfilter is so much
easier to set up than ipfw when using the keep state function
in your rules file.
The handbook ipfilter sample rule sets work as is.
Just copy and paste into your own rules file and you're pretty
much good to go after following the comments.
And another thing, it's not acceptable behavior to cross-post
the same question to 2 lists.
This question does not belong in freebsd-security at freebsd.org.
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org] On Behalf Of gahn
Sent: Thursday, January 26, 2006 6:35 PM
To: freebsd security; freebsd general questions
Subject: strange problem with ipfw and rc.conf
I have a strange problem with rc.conf. I set up ipfw
(compiled into the kernel) on freebsd-5.4 and it doesn't
seem to load the ipfw rulesets (it uses the default ruleset
65335, locking out everything). I have to do
"sh /etc/ipfw.rules" in order to load the rulesets; once I
did that, I can access the box from remote locations.
Here is my rc.conf:
host# more /etc/rc.conf
network_interfaces="lo0 em0 dc0 rl0 plip0"
route_net1="-net 192.168.0.0/22 192.168.1.1"
route_net2="-net 10.10.0.0/16 10.10.128.1"
Also my customized kernel (partial):
#enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=10      #limit
#options IPFIREWALL_DEFAULT_TO_ACCEPT   #allow everything by default
#packet destination changes
options IPFIREWALL_FORWARD_EXTENDED     #all packet dest changes
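The reply's diagnosis is that rc.conf switches on two firewalls at once, and the question's symptom is an ipfw box that sits on its default deny rule until the rules script is run by hand. The script below is an added example, not code from either poster: it parses an rc.conf without sourcing it and reports which firewall front-ends are enabled and whether ipfw has been told where its rules come from. The knob names (firewall_enable, firewall_type, firewall_script, ipfilter_enable, ipfilter_rules) are the rc.conf(5) variables read by the ipfw and ipfilter rc scripts; the rc.conf files it checks are constructed for the example and are not the poster's actual file.

```shell
#!/bin/sh
# Added example, not code from either post in the thread: inspect an
# rc.conf and report which FreeBSD firewall front-ends it enables.
# The knob names are the rc.conf(5) variables used by the ipfw and
# ipfilter rc scripts; every rc.conf file below is constructed here.

# rc_value FILE VAR: print VAR's value as set in FILE (last assignment
# wins; surrounding quotes and a trailing comment are dropped).
# Parsing with sed avoids sourcing the file, which would execute
# whatever it contains.
rc_value() {
    sed -n "s/^[[:space:]]*${2}=[\"']\{0,1\}\([^\"'[:space:]#]*\).*/\1/p" "$1" |
        tail -n 1
}

# is_yes VALUE: the spellings rc.subr's checkyesno accepts.
is_yes() {
    case $1 in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# firewall_check FILE: print a verdict and return
#   0  one firewall enabled and pointed at a rules source
#   1  no firewall enabled in rc.conf
#   2  ipfw and ipfilter both enabled (the conflict in the reply above)
#   3  ipfw enabled with neither firewall_type nor firewall_script set,
#      so /etc/rc.firewall runs with type UNKNOWN and adds none of your
#      rules; a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT is
#      then left on its deny-all default, the symptom in the question
firewall_check() {
    file=$1
    ipfw_on=no; ipf_on=no
    is_yes "$(rc_value "$file" firewall_enable)" && ipfw_on=yes
    is_yes "$(rc_value "$file" ipfilter_enable)" && ipf_on=yes
    fw_type=$(rc_value "$file" firewall_type)
    fw_script=$(rc_value "$file" firewall_script)
    # An explicit UNKNOWN is the rc.conf default and loads no rules.
    [ "$fw_type" = UNKNOWN ] && fw_type=

    if [ "$ipfw_on" = yes ] && [ "$ipf_on" = yes ]; then
        echo "$file: ipfw and ipfilter are both enabled; pick one"
        return 2
    fi
    if [ "$ipfw_on" = yes ]; then
        if [ -z "$fw_type" ] && [ -z "$fw_script" ]; then
            echo "$file: ipfw enabled but no firewall_type or firewall_script set"
            return 3
        fi
        echo "$file: ipfw enabled, rules from ${fw_script:-/etc/rc.firewall type=$fw_type}"
        return 0
    fi
    if [ "$ipf_on" = yes ]; then
        ipf_rules=$(rc_value "$file" ipfilter_rules)
        echo "$file: ipfilter enabled, rules from ${ipf_rules:-/etc/ipf.rules}"
        return 0
    fi
    echo "$file: no firewall enabled"
    return 1
}

SAMPLE_DIR=$(mktemp -d)
# Constructed: both firewalls switched on, the situation the reply describes.
cat > "$SAMPLE_DIR/both.conf" <<'EOF'
network_interfaces="lo0 em0 dc0 rl0 plip0"
firewall_enable="YES"
ipfilter_enable="YES"
EOF
# Constructed: ipfw alone, with its rules script loaded at boot.
cat > "$SAMPLE_DIR/ipfw.conf" <<'EOF'
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"   # sh script of "ipfw add ..." lines
EOF
# Constructed: ipfw on, but nothing tells rc.firewall which rules to load.
cat > "$SAMPLE_DIR/norules.conf" <<'EOF'
firewall_enable="YES"
firewall_type="UNKNOWN"
EOF

for f in both ipfw norules; do
    firewall_check "$SAMPLE_DIR/$f.conf" || :
done
```

Run it against your real /etc/rc.conf by calling firewall_check on that path; exit code 3 is the case where a hand-run "sh /etc/ipfw.rules" works but boot does not, and the fix on the ipfw side is to point firewall_script at that file (or set firewall_type to it) rather than to compile anything else into the kernel.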